key one chung december, 2004 - iowa state university codes.pdfgoppa codes key one chung ’ & $...

Goppa Codes Key One Chung

'

&

$

%

Goppa Codes

Key One Chung

December, 2004

Department of Mathematics, Iowa State University,

Ames, Iowa 50011-2064

email: [email protected]


'

&

$

%

Contents

1. Introduction

1.1 Linear Codes

1.2 Bounds on Codes

1.3 Reed-Solomon Codes

2. Goppa Codes

2.1 Introduction to Goppa Codes

2.2 Algebraic and Projective Curves

2.3 Nonsingularity and the Genus

2.4 Points, Functions, Divisors on Curves

2.5 Good Codes from Algebraic geometry

3. McEliece Cryptosystem


'

&

$

%

1 Introduction

1.1 Linear Codes

Definition. A linear code C(n, k) over a field F is a vector subspace of Fn with

dimension k. n is called the length of the code C . The minimum distance of C is

d := min{d(x, y)|x, y ∈ C, x 6= y}, where d(x, y) is the Hamming distance.

(n, k, d) is called the parameter of C .

If a basis for C is {r1, . . . , rk}, then

G =

r1

r2

...

rk

is a generator matrix for C , and C = {uG|u ∈ F k}.


'

&

$

%

What is a good code?

Why are d and k of C important?

• dimension k: the larger, the better

We may think of each codeword as having k information symbols and n− k

checks. So, large k with respect to n makes an efficient code.

• minimum distance d: the larger, the better

We can correct up to bd−12 c errors.

How good can a code be?


'

&

$

%

1.2 Bounds on Codes

Theorem (Singleton Bound). Let C(n, k) be a linear code of minimum

distance d over Fq . Then, d ≤ n− k + 1.

Given n, both k and d cannot be large.

Definition. Let q be a prime power and let n, d be positive integers with d ≤ n.

Then the quantity Aq(n, d) is defined as the maximum value of M such that

there is a code over Fq of length n with M codewords and minimum distance d.

Let Vq(n, r) denote the number of elements in the ball of radius r centered at x,

for any x ∈ Fnq . Then, Vq(n, r) =

∑ri=0

(ni

)(q − 1)i.

Theorem (Gilbert-Varshamov Bound). Aq(n, d) ≥ qn/Vq(n, d− 1).


'

&

$

%

Asymptotic Bounds

Definition. Let C be a code over Fq of length n with qk codewords and

minimum distance d. The information rate of C is R := k/n and the relative

minimum distance of C is δ := d/n.

Note that 0 ≤ R, δ ≤ 1, and C is a good code if both R and δ are close to 1.

Definition. Let q be a prime power and δ ∈ R with 0 ≤ δ ≤ 1. Then

αq(δ) := lim supn→∞

1n

logq Aq(n, δn).

αq(δ) is the largest R such that there is a sequence of codes over Fq with

relative minimum distance converging to δ and information rate converging to R.


'

&

$

%

Set θ = 1− 1/q.

We define a function Hq(x) on 0 ≤ x ≤ θ by

Hq(x) := 0, if x = 0

x logq(q − 1)− x logq x− (1− x) logq(1− x), if 0 < x ≤ θ.

The function Hq is called the Hilbert entropy function.

Theorem (Asymptotic Gilbert-Varshamov Bound). For any δ with 0 ≤ δ ≤ θ,

we have αq(δ) ≥ 1−Hq(δ).

The Gilbert-Varshamov Bound was the best known lower bound on αq(δ) for a

full 30 years following its original discovery in 1952. In 1982, the existence of a

sequence of codes having better than The Gilbert-Varshamov Bound was first

proven by Tsfasman, Vladut, and Zink using Goppa codes.


'

&

$

%

1.3 Reed-Solomon Codes

Definition. Lr := {f ∈ Fq[x]|deg(f) ≤ r}⋃{0}Note that Lr is a vector subspace over Fq .

Definition. F∗q = {α1, . . . , αq−1} and 1 ≤ k ≤ q − 1. Then the

Reed-Solomon code RS(k, q) is defined to be

RS(k, q) := {(f(α1), . . . , f(αq−1))|f ∈ Lk−1}.

It is an image of a linear transformation ε : Lk−1 → Fq−1q given by

ε(f) = (f(α1), . . . , f(αq−1)).

Parameters of RS(k, q) are n = q − 1, dim C = k, and d = n− k + 1.


'

&

$

%

• By singleton bound, given n = q− 1 and dimension k, RS(k, q) is the best.

• However, it is a very restrictive class of codes because the length is so small

with regard to the alphabet size. (q-1,q)

• In practice, we want to work with codes which are long with respect to the

alphabet size.


'

&

$

%

2 Goppa Codes

2.1 Introduction to Goppa Codes (1981)

1. Choose a finite field Fq .

2. Choose a projective nonsingular plane curve X over Fq .

3. Pick n distinct Fq-rational points

P = {P1 . . . , Pn} ⊂ X(Fq) on X.

4. Choose a divisor D on X such that P⋂supp(D) = ∅.

5. Goppa code

C(X,P, D) := {(f(P1, . . . , f(Pn)))|f ∈ L(D)} ⊂ Fnq .


'

&

$

%

Note

1. dim C = dim L(D)

2. If {f1, . . . , fk} is a basis for L(D) over Fq , then

f1(P1) · · · f1(Pn)...

. . ....

fk(P1) · · · fk(Pn)

is a generator matrix for C .

3. It is the first infinite family of codes whose parameters beats the

Gilbert-Varshamov bound.


'

&

$

%

2.2 Algebraic and Projective Curves

k denotes the algebraic closure of the field k.

Definition. We define the affine place A2(k) to be the set k2.

Definition. If f ∈ k[x, y], then the affine(algebraic) curve is defined to be

Cf := {P ∈ A2|f(P ) = 0}.

Let X be an algebraic curve over k. Then,

I(X) = {f ∈ k[x, y]|f(P ) = 0 for all P ∈ X}

is an ideal of k[x, y]. The quotient ring Γ(X) = k[x, y]/I(X) is called the

coordinate ring of X .


'

&

$

%

Example. f(x, y) = y − x2 and g(x, y) = y − c ∈ R[x, y].

In R, if c > 0, then we have two intersections.

If c = 0, then we have a single intersection of multiplicity 2.

In C = R, |Cf

⋂Cg| = 2.

If g(x, y) = x− c, then we have one intersection. However, if we regard Cf

and Cg intersect once at “infinity” as well, then |Cf

⋂Cg| = 2.


'

&

$

%

For given f(x, y) ∈ k[x, y], we construct the polynomial

F (X, Y, Z) = Zdf(X/Z, Y/Z) ∈ k[X,Y, Z]

where d = deg(f). The polynomial F is called the homogenization of f .

Observation

• f(x0, y0) = 0⇔ F (x0, y0, 1) = 0

• For any α ∈ k∗, we have F (αX, αY, αZ) = αdF (X, Y, Z).

So, F (X0, Y0, Z0) = 0⇔ F (αX0, αY0, αZ0) = 0 for all α ∈ k∗.

⇒We identify the solutions (X0, Y0, Z0) and (αX0, αY0, αZ0).

• Since F is homogeneous, F (0, 0, 0) = 0.

⇒We ignore the solution (0, 0, 0) of F = 0.


'

&

$

%

Definition. The projective plane is

P2(k) := (k3\{(0, 0, 0)})/ ∼

where (X0, Y0, Z0) ∼ (X1, Y1, Z1) if and only if there is some α ∈ k∗ with

X1 = αX0, Y1 = αY0, and Z1 = αZ0. We write (X0 : Y0 : Z0) for the

equivalence class of (X0, Y0, Z0) in P2.

By multiplying through by a unit, we have

P2(k) = {(X0 : Y0 : 1)|X0, Y0 ∈ k}⋃{(X0 : 1 : 0)|X0 ∈ k}

⋃{(1 : 0 : 0)}.

Any point of the form (X : Y : 0) is called a point at infinity.


'

&

$

%

Definition. Let F be the homogenization of f . Then the projective curve of F is

Cf := {(X0 : Y0 : Z0) ∈ P2(k)|F (X0, Y0, Z0) = 0}.

Example. f(x, y) = y − x2, g(x, y) = x− c. What is Cf

⋂Cg?

F (X, Y, Z) = Z2(Y/Z − (x/Z)2) = Y Z −X2

G(X, Y, Z) = X − cZ

When Z = 1, Y = X2 and X = c. So, we have (c : c2 : 1).

When z = 0, X = 0 = X2. So, we have (0 : 1 : 0).

Therefore, |Cf

⋂Cg| = 2.

Theorem (Bezout’s Theorem). If f, g ∈ k[x, y] are polynomials of degree d

and e respectively, then Cf and Cg intersect in at most de points. Further, Cf

and Cg intersect in exactly de points of P2(k), when points are counted with

multiplicity.


'

&

$

%

2.3 Nonsingularity and the Genus

For coding theory, we only want to work with “nice” curves. Since we have already

decided to restrict ourselves to plane curves, the only other restriction we will

need is that our curve will be nonsingular.

Definition. Let f(x, y) ∈ k[x, y]. A singular point of Cf is a point p ∈ k × k

such that f(p) = fx(p) = fy(p) = 0. The curve Cf is nonsingular if it has no

singular points. If F is the homogenization of f , then P ∈ P2(k) is a singular

point of Cf if f(P ) = FX(P ) = FY (P ) = FZ(P ) = 0. The curve Cf is

nonsingular if it has no singular points.

Note. Intuitively, a singular point is a point where the curve does not have a

well-defined tangent line, or where it intersects itself.

Definition (Plucker Formula). Let f(x, y) ∈ k[x, y] be a polynomial of degree

d such that Cf is nonsingular. Then the genus of Cf (or of Cf ) is defined to be

g :=(d− 1)(d− 2)

2.


'

&

$

%

2.4 Points, Functions, Divisors on Curves

Definition. Let C be the projective plane curve defined by F = 0, where

F ∈ k[X,Y, Z] is a homogeneous polynomial. Let K be an extension field of k.

We define a K-rational point on C to be a point (X0, Y0, Z0) ∈ P2(K) such

that F (X0, Y0, Z0) = 0. C(K) denotes the set of all K-rational points on C .

Definition. Let C be a nonsingular projective plane curve. A point of degree n

on C over Fq is a set P = {P0, . . . , Pn−1} of n distinct points in C(Fqn)such that Pi = σi

q,n(P0) for i = 1, . . . , n− 1, where σiq,n : Fqn → Fqn is

the Frobenius automorphism with σq,n(α) = αq .

Note. Elements of C(k) are called points of degree one or simply rational points.


'

&

$

%

Example. Let C0 be the projective plane curve over F3 corresponding to

f(x, y) = y2 − x3 − 2x− 2 ∈ F3[x, y].

Homogenization; F (X, Y, Z) = Y 2Z −X3 − 2XZ2 − 2Z3 = 0

FX = − 4Z = 2Z = 0

FY = 2Y Z = 0

FZ = Y 2 − 4XZ = Y 2 + 2XZ = 0

⇒ Z = Y = X = 0. So, C0 is nonsingular.

Also, genus g = 2·12 = 1.


'

&

$

%

Now, let’s find points of degree 1(rational points) C0(F3).

y2 − x3 − 2x− 2 = 0

If x = 0, then y2 = 2. No such elements in F3.



So, no rational points of the type (X : Y : 1).

When Z = 0,−X3 = 0. So, X = 0.

So, C0(F3) = {P∞ := (0 : 1 : 0)}.


'

&

$

%

To find the points of degree 2, let’s compute C0(F32) first.

Note that t2 + 1 is irreducible over F3. Then F9 = F3[t]/(t2 + 1).

Let α ∈ F9 corresponding t. Then, F9 = {a + bα|a, b ∈ F3}, where

α2 = −1 = 2. When Z = 1, Y 2 −X3 − 2X − 2 = 0.

If X = 0, Y 2 = 2⇒ Y = α or−α = 2α.

So, (0 : α : 1), (0 : 2α : 1) ∈ C0(F9).

By doing similar computation,

C0(F9) = {(0 : α : 1), (0 : 2α : 1), (1 : α : 1), (1 : 2α : 1),

(2 : α : 1), (2 : 2α : 1), P∞}.

Frobenius map σ3,2 : F9 → F9; α 7→ α3 = 2α

Then, σ3,2(0 : α : 1) = (0 : 2α : 1).

So, we have one point Q1 = {(0 : α : 1), (0 : 2α : 1)} of degree 2.

Similarly, Q2 = {(1 : α : 1), (1 : 2α : 1)}, Q3 = {(2 : α : 1), (2 : 2α : 1)}.

So, we have three points of degree two on C0.


'

&

$

%

Similarly, F33 = F3[t]/(t3 + 2t + 2) and let w ∈ F27 corresponding to t.

Then, we have

C0(F27) = {(w : 0 : 1), (1 + w : 0 : 1), . . . ,

(1 + 2w + 2w2 : 1 + 2w + 2w2 : 1), P∞}.with 28 F27-rational points.

Also, we see that

C0(F27) = R1

⋃· · ·

⋃R9

⋃{P∞}

where R1, . . . , R9 are the nine points of degree three on C0.

For example, R1 = {(w : 0 : 1), (1 + w : 0 : 1), (2 + w : 0 : 1)}.


'

&

$

%

Let C and C ′ be two projective plane curves over Fq defined by polynomials of

degree d and e respectively. Then, the set of points over Fq where they intersect

will cluster into points P1, . . . , Pl of varying degrees over Fq , where a point is

listed more than once if the intersection of the two curves is with multiplicity

greater than one.

Let ri denote the degree of the point Pi over Fq . Then, we have

de = r1 + r2 + · · ·+ rl. In this case, we write

C⋂

C ′ = P1 + · · ·+ Pl

and call C⋂

C ′ the intersection divisor of C and C ′.


'

&

$

%

Definition. • Let C be a curve defined by over Fq . A divisor D on C over Fq

is an element of the free abelian group on the set of points(of arbitrary

degree) on C over Fq .

Thus every divisor is of the form D =∑

nQQ, where the nQ are integers

and each Q is a point (of arbitrary degree) on C .

• If nQ ≥ 0 for all Q, we call D effective and write D ≥ 0.

• We define the degree of the divisor D =∑

nQQ to be

deg D =∑

nQdeg Q.

• the support of the divisor D =∑

nQQ is supp D = {Q|nQ 6= 0}.

Note C⋂

C ′ is an effective divisor of degree de.


'

&

$

%

Definition. Let F (X, Y, Z) be the polynomial which defines the nonsingular

projective plane curve C over the field Fq . The field of rational functions on C is

Fq(C) :=({

g(X, Y, Z)h(X, Y, Z)

|g, h ∈ Fq[X, Y, Z] hom. same deg

} ⋃{0}

)/ ∼

where g/h ∼ g′/h′ if and only if gh′ − g′h ∈ 〈F 〉 ⊂ Fq[X,Y, Z].

Example F (X, Y, Z) = Y 2Z −X3 − 2XZ2 − 2Z3 ∈ F3[X, Y, Z].Then X2/Z2 = (Y 2 + XZ + Z2)/XZ in F3(C0)since

X2(XZ)− Z2(Y 2 + XZ + Z2) = Z(X3 − ZY 2 −XZ2 − Z3) ∈ 〈F 〉.


'

&

$

%

Definition. Let C be a curve defined over Fq and let f := g/h ∈ Fq(C). The

divisor of f is defined to be div(f) :=∑

P −∑Q, where

∑P is the

intersection divisor C⋂

Cg and∑

Q the intersection divisor C⋂

Ch.

Note that since deg(C⋂

Cg) = deg(C⋂

Ch), we have deg div(f) = 0.

Definition. Let D be a divisor on the nonsingular projective plane curve C

defined over the field Fq . Then the space of rational functions associated to D is

L(D) := {f ∈ Fq(C)|div(f) + D ≥ 0}⋃{0}.

Note L(D) is a finite dimensional vector space over Fq .


'

&

$

%

Theorem (Riemann-Roch Theorem). Let C be a nonsingular projective plane

curve of genus g defined over Fq and let D be a divisor on C . Then

dim L(D) ≥ deg D + 1− g. Further, if deg D > 2g − 2, then

dim L(D) = deg D + 1− g.


'

&

$

%

2.5 Good Codes from Algebraic geometry

Theorem. Let X be a nonsingular, projective plane curve of genus g, defined

over Fq . Let P ⊂ X(Fq) be a set of n distinct Fq-rational points on X , and let

D be a divisor on X satisfying 2g − 2 < deg D < n. Then, Goppa code

C := C(X,P, D) is linear of length n, dimension k := deg D + 1− g, and

the minimum distance d, where d ≥ n− deg D.

Note The information rate R of C is k/n = (deg D + 1− g)/n and the

relative minimum distance δ of C is d/n ≥ (n− deg D)/n.

We want R + δ large. We have

R + δ ≥ deg D + 1− g

n+

n− deg D

n= 1 + 1/n− g/n.

So, for given genus g, it is better to have large n ≤ |X(Fq)|.


'

&

$

%

How many rational points can a curve of genus g have?

Theorem (Hasse-Weil). let X be a nonsinguar projective curve of genus g over

Fq and set N = |X(Fq)|. Then

|N − (q + 1)| ≤ 2g√

q.

Theorem (Serre). In the situation of the above theorem, we have

|N − (q + 1)| ≤ gb2√qc


'

&

$

%

3 McEliece Public Key Cryptosystem

3.1 Idea

Syndrome decoding of linear codes (when considered as a decision problem) is

an NP-complete problem if the number of errors is not bounded. However, there

are classes of linear codes which have very fast decoding algorithms. The basic

idea of the McEliece system is to take one of these linear codes and disguise it so

that Oscar, when trying to decrypt a message, is forced to use syndrome

decoding, while Bob, who set up the system, can remove the disguise and use

the fast decoding algorithm. McEliece suggested using Goppa Codes, which are

linear codes with a fast decoding algorithm, in the system, but any linear code

with a good decoding algorithm can be used.


'

&

$

%

3.2 Key Creation

• The private key consists of the matrices (S, G, P ), where S is a random,

invertible k × k matrix, P is a random n× n permutation matrix, and G is

the k × n generator matrix of a Goppa code that corrects up to t errors.

• The public key is the matrix product of the three private matrices, so it is a

k × n matrix G = SGP . Additionally, a number t′ ≤ t has to be advertised

which stands for the number of errors that a sender of a message is allowed

to add to his message. So the public key is (G, t′).


'

&

$

%

3.3 Encryption

The plain text is dissected into blocks of size k bits. For every block a random

error vector of size n that has at most t′ entries is chosen and is added to the

encoding G:

c = mG + e

3.4 Decryption

The receiver multiplies the cipher text with the inverse of the permutation matrix:

c′ = cP−1 = mGP−1 + eP−1 = mSG + eP−1

Since G is a t error correcting code and eP−1 will contain at most the t′ ≤ t

intentional errors, he can quickly Goppa decode into c′ and already has the result

mS. To get the plain text messages he will then multiply with the inverse of S.

m = mSS−1


'

&

$

%

3.5 Security

To be able to use a trap door Goppa code to decipher a message, the inverse

matrices of P and S have to be known. If some unauthorized person does not

have this information, she will face the problem to solve a linear code. With an

average choice of t ≥ 50 and n ≥ 210, this is a very difficult problem.

3.6 Drawbacks

• The size of the public key G is quite large. Using the Goppa code with

parameters suggested by McEliece, the public key would consist of 219 bits.

This will certainly cause implementation problems.

• The encrypted message is much longer than the plaintext message. This

increase of the bandwidth makes the system more prone to transmission

errors.


'

&

$

%

3.7 Discussion

m−−−−→encrypt c

−−−−→encode c′ −−−−−→public line c′ + e

−−−−→decode c

−−−−→decrypt m

m−−−−→encrypt c = mG + e

−−−−−→public line c′ = mG + e + e′ −−−−→decrypt m

Assume that we have a Goppa code C(n, k) with the minimum distance

d = 2t + 1. As we stated, if t ≥ 50 and n ≥ 210, then McEliece Cryptosystem

is considered to be fairly secure. However, we need a big key size. We know that

cellular phone does not require much security. Therefore, it would be a good

problem to find a proper t, t′ and n having a little security for cellular phone and

not so much big key size. In this case, we can correct up to t− t′ errors.


'

&

$

%

References

[1] J.L. Walker, Codes and Curves, American Mathematical Society (2000), 1–44.

[2] J.H. Silverman, The Arithmetic of Elliptic Curves, Springer (1986), 1–44.

[3] P.J. Morandi, Error Correcting Codes and Algebraic Curves, Lecture Notes

(2001), 3–63, http://emmy.nmsu.edu/ pmorandi/math601f01/LectureNotes.pdf.

[4] B. Cherowitzo ,

http://www-math.cudenver.edu/ wcherowi/courses/m5410/ctcmcel.html.

[5] http://entropy.stop1984.com/en/mceliece.html.

key one chung december, 2004 - iowa state university codes.pdfgoppa codes key one chung ’ & $...

Documents